11.2.4.20. How to specify the encryption scheme of SSL communication (TLS1.2-DHE-RSA-AES-128-SHA256)
Operation Confirmed Version: Citrix NetScaler VPX Version 11.0 Build 67.12 Standard Edition
This section describes how to change the cipher suite used for SSL communication.
If the cipher suite is weak, the communication cannot be kept confidential and is at higher risk of interception or alteration. The client (user) side must also support the selected cipher suite, otherwise the connection cannot be established.
Assumed scenario for the sample setting
Note
In this scenario, a 2048-bit DH key prepared in advance is used, and the session key is exchanged by the DH method.
Select the Virtual Server whose setting is to be changed and click the [ Edit ] button.
The details screen of the Virtual Server is displayed. Click the Edit icon in the [ SSL Ciphers ] section.
Note
If items of SSL Ciphers are not displayed, select [ +SSL Ciphers ] from [ Advanced Settings ] in the right side of the screen.
Specify the following cipher suite on the SSL Ciphers screen.
| Setting Items | Setting value |
| Configured | TLS1.2-DHE-RSA-AES-128-SHA256 (cipher suite to specify) |
Click the [ +Add ] button from the SSL Ciphers screen.
The List of Available Ciphers screen is displayed. Select [ TLS1.2-DHE-RSA-AES-128-SHA256 ] from [ ALL ] and click the right triangle to move the target [ Cipher Suite ] to [ Configured ].
The specified cipher suite is added to the right side. Remove the [ DEFAULT ] entry that is already set by clicking the “-” mark.
Note
Because only the specified cipher suite [ TLS1.2-DHE-RSA-AES-128-SHA256 ] is to be used, all other entries are removed from the Configured list.
When the additions on the right side of the screen are complete, click [ OK ].
Note
It is also possible to enable multiple cipher suites here by adding each suite you want to use to the right side of the screen.
The details screen of the Virtual Server is displayed. Check that [ TLS1.2-DHE-RSA-AES-128-SHA256 ] is displayed under [ Configured ] in [ SSL Ciphers ].
Click the Edit icon in the [ SSL Parameters ] section to set the DH Key.
Note
If items of SSL Parameters are not displayed, select [ +SSL Parameters ] from [ Advanced Settings ] in the right side of the screen.
Make the following settings on the SSL Parameters screen and click the [ OK ] button.
| Setting Items | Setting value |
| Enable DH Param | Check mark |
| File Path | Specify the DH Key from the [ Browse ] button. |
You are returned to the SSL Parameters screen. Click the [ Done ] button in the bottom right corner of the page.
On the Virtual Server screen, check that the target's [ State ] and [ Effective State ] are both [ Up ].
This completes the setting that specifies the cipher suite for SSL communication.
Connection check with OpenSSL
From the Virtual PC, run the following OpenSSL command against the Virtual Server.
openssl s_client -connect 192.168.200.200:443 -showcerts
Check the Cipher line in the output to confirm that the connection is made with the specified cipher suite.
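The following script is an added example, not part of the original page, that automates this connection check: it parses the SSL-Session block of `openssl s_client` output, confirms the negotiated protocol, cipher and DH group size, and also verifies that a non-DHE suite is refused. It assumes the page's sample address 192.168.200.200:443 and the OpenSSL cipher name DHE-RSA-AES128-SHA256, which is the OpenSSL spelling of TLS1.2-DHE-RSA-AES-128-SHA256.

```shell
#!/bin/sh
# Added example, not part of the original page: confirm that the Virtual Server
# negotiates only the configured suite. The NetScaler name
# TLS1.2-DHE-RSA-AES-128-SHA256 is DHE-RSA-AES128-SHA256 in OpenSSL naming.
EXPECTED_PROTO="TLSv1.2"
EXPECTED_CIPHER="DHE-RSA-AES128-SHA256"
MIN_DH_BITS=2048   # the page's scenario uses a 2048 bit DH key

# Read "openssl s_client" output on stdin and inspect the SSL-Session block.
# Returns 0 when protocol and cipher match and the DH group is large enough.
check_sclient_output() {
    out=$(cat)
    proto=$(printf '%s\n' "$out" | sed -n 's/^ *Protocol *: *\([^ ]*\).*/\1/p' | head -n 1)
    cipher=$(printf '%s\n' "$out" | sed -n 's/^ *Cipher *: *\([^ ]*\).*/\1/p' | head -n 1)
    dhbits=$(printf '%s\n' "$out" | sed -n 's/^Server Temp Key: DH, \([0-9]*\) bits.*/\1/p' | head -n 1)
    if [ "$proto" != "$EXPECTED_PROTO" ] || [ "$cipher" != "$EXPECTED_CIPHER" ]; then
        echo "FAIL: negotiated protocol='$proto' cipher='$cipher'"
        return 1
    fi
    # Older OpenSSL builds do not print the temp key line; enforce only when present.
    if [ -n "$dhbits" ] && [ "$dhbits" -lt "$MIN_DH_BITS" ]; then
        echo "FAIL: DH group is only $dhbits bits"
        return 1
    fi
    echo "OK: $proto $cipher, DH ${dhbits:-unknown} bits"
    return 0
}

# Positive probe: offer only the expected suite and require that it is chosen.
probe_expected() {
    openssl s_client -connect "$1" -tls1_2 -cipher "$EXPECTED_CIPHER" \
        </dev/null 2>/dev/null | check_sclient_output
}

# Negative probe: offer only a non-DHE suite. The handshake must fail, which
# shows that DEFAULT was really removed from the Configured list.
probe_weak_rejected() {
    if openssl s_client -connect "$1" -tls1_2 -cipher AES128-SHA \
            </dev/null 2>/dev/null | grep -q '^ *Cipher *: *AES128-SHA'; then
        echo "FAIL: server still accepts AES128-SHA"
        return 1
    fi
    echo "OK: AES128-SHA rejected"
    return 0
}
# Usage: sh check_vserver.sh 192.168.200.200:443   (the page's sample address)
if [ -n "${1:-}" ]; then
    probe_expected "$1" && probe_weak_rejected "$1"
fi
```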